Security Overview

CodePlanet takes security seriously. This document outlines our security architecture, practices, and how we protect your data.

Security Principles

1. Defense in Depth

Multiple layers of security at every level — network, application, database, and user.

2. Least Privilege

Every component has only the permissions it needs. Users can only access their own data.

3. Secure by Default

Security features are enabled by default. Opt-out requires explicit action.

4. Transparency

We document our security practices so you understand how we protect your data.

Architecture Security

┌─────────────────────────────────────────────────────────────────────────┐
│                         Security Layers                                  │
├─────────────────────────────────────────────────────────────────────────┤
│  ┌─────────────────┐                                                    │
│  │   Edge Layer    │  • DDoS protection (Cloudflare/Vercel)            │
│  │                 │  • TLS 1.3 encryption                              │
│  │                 │  • Rate limiting                                   │
│  └────────┬────────┘                                                    │
│           │                                                              │
│  ┌────────▼────────┐                                                    │
│  │   API Layer     │  • Input validation                                │
│  │                 │  • Authentication (JWT/API keys)                   │
│  │                 │  • Authorization checks                            │
│  └────────┬────────┘                                                    │
│           │                                                              │
│  ┌────────▼────────┐                                                    │
│  │   Database      │  • Row-Level Security (RLS)                        │
│  │                 │  • Encrypted at rest                               │
│  │                 │  • Connection pooling                              │
│  └─────────────────┘                                                    │
└─────────────────────────────────────────────────────────────────────────┘

Authentication

Session-Based Auth

For browser clients, we use Supabase Auth with secure HTTP-only cookies:

// Server-side session check
import { createClient } from "@/lib/supabase/server";
 
const supabase = await createClient();
const { data: { user }, error } = await supabase.auth.getUser();
 
if (!user) {
  return Response.json({ error: "Unauthorized" }, { status: 401 });
}

API Key Auth

For programmatic access, API keys are used:

const apiKey = request.headers.get("X-API-Key");
const { data, error } = await supabase
  .from("api_keys")
  .select("*")
  .eq("key_hash", hashApiKey(apiKey))
  .single();

API keys are:

Hashed before storage (never stored in plain text)
Scoped to specific permissions
Revocable at any time
Rate-limited by tier

Input Validation

All API endpoints validate inputs rigorously:

// UUID validation
const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
 
if (!UUID_REGEX.test(userId)) {
  return Response.json({ error: "Invalid user ID" }, { status: 400 });
}
 
// Plan validation
const VALID_PLANS = ["free", "developer", "pro"] as const;
if (!VALID_PLANS.includes(planId)) {
  return Response.json({ error: "Invalid plan" }, { status: 400 });
}

Row-Level Security (RLS)

Every table in Supabase has RLS policies that ensure users can only access their own data:

-- Users can only read their own profile
CREATE POLICY "Users can read own profile"
ON public.profiles
FOR SELECT
USING (auth.uid() = user_id);
 
-- Users can only update their own profile
CREATE POLICY "Users can update own profile"
ON public.profiles
FOR UPDATE
USING (auth.uid() = user_id);
 
-- Submissions are private to the user
CREATE POLICY "Submissions are private"
ON public.submissions
FOR ALL
USING (auth.uid() = user_id);

Encryption

In Transit

All traffic uses TLS 1.3
HSTS enabled with 1-year max-age
Certificate pinning for mobile apps

At Rest

Database encrypted with AES-256
Backups encrypted
API keys hashed with bcrypt

Rate Limiting

To prevent abuse, all endpoints are rate-limited:

Endpoint Type	Free Tier	Developer	Pro
API calls	100/hour	1000/hour	5000/hour
Submissions	50/day	200/day	Unlimited
Auth attempts	5/minute	5/minute	5/minute

Rate limit headers are included in every response:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1699999999

Payment Security

PCI Compliance

We never handle card data directly. All payment processing goes through Razorpay, which is PCI-DSS Level 1 certified.

Signature Verification

All payment callbacks are verified using timing-safe comparison:

import crypto from "crypto";
 
const isValid = crypto.timingSafeEqual(
  Buffer.from(receivedSignature),
  Buffer.from(expectedSignature)
);

Security Headers

Our application sets the following security headers:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://checkout.razorpay.com
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

Email: security@acodeplanet.tech
Do not disclose publicly until we've addressed it
We commit to responding within 48 hours
Eligible reports may receive a bounty

Security Checklist

Practice	Status
HTTPS everywhere	✅
Secure cookies	✅
CSRF protection	✅
SQL injection prevention	✅ (RLS + parameterized queries)
XSS prevention	✅ (React escaping + CSP)
Password hashing	✅ (Supabase Auth)
Rate limiting	✅
Input validation	✅
Audit logging	✅
Regular security audits	✅

Compliance

GDPR: Data export and deletion available
CCPA: California privacy rights supported
SOC 2: Supabase infrastructure is SOC 2 Type II certified

Next Steps

Row-Level Security — Deep dive into database security
API Security — Secure API communication
Data Privacy — Your data rights

On this page